Trusted Information Systems Review

(Report No. 03-028, April 14, 2003)

Summary

International Business Machines (IBM), an independent professional services firm, was engaged by the Office of Inspector General (OIG) to perform a vulnerability assessment of the Federal Deposit Insurance Corporation’s (FDIC) network operations. The work accomplished through this contract helped the OIG satisfy its Federal Information Security Management Act-related reporting requirements.

The objectives of the review were to (1) evaluate the controls, policies, and procedures for the FDIC’s Public Key Infrastructure (PKI); (2) analyze and test the FDIC’s connectivity with third-party organizations such as contractors; and (3) evaluate the FDIC’s controls over sensitive data. The scope of the review was specifically designed to focus on the progress achieved by the FDIC in developing and implementing effective information security policies for its trusted relationships, that is, network connections that the FDIC has with banks, contractors, and other government agencies.

During the review, IBM noted that the FDIC had implemented a number of good security practices but that improvements were needed in PKI operations, contractor-connected systems, and protection of data provided to third parties.

Recommendations

IBM made recommendations to FDIC’s Division of Information and Resources Management (DIRM) and Division of Administration (DOA) to improve network integrity, performance, and controls.

Management Response

DIRM’s and DOA’s responses to the report satisfactorily address the noted areas.

This report addresses issues associated with information security. Accordingly, we have not made, nor do we intend to make, public release of the specific contents of the report.